Skip to content

fix(automerge): keep check green for non-genuine dependabot PRs#476

Merged
timdittler merged 1 commit into
mainfrom
fix-dependabot-automerge-silent-fail
Jul 3, 2026
Merged

fix(automerge): keep check green for non-genuine dependabot PRs#476
timdittler merged 1 commit into
mainfrom
fix-dependabot-automerge-silent-fail

Conversation

@timdittler

Copy link
Copy Markdown
Contributor

What changed

Added continue-on-error: true to the Load dependabot metadata step in template_automerge_dependabot.yml.

Why needed

The job runs whenever the PR author login is dependabot[bot]. If dependabot/fetch-metadata can't verify the commit signature (rebased or otherwise non-genuine dependabot PR), it calls setFailed and the whole job goes red, showing a failing check in the PR overview even though nothing needed merging. Example: patroni-selfheal run.

Why safe

When the step soft-fails it produces no outputs. The merge step's if requires steps.metadata.outputs.update-type to equal a real value (version-update:semver-*); an empty value matches nothing, so the merge step is skipped. Outputs come only from the action, so a PR can't spoof them. Genuine dependabot PRs still merge exactly as before; everything else no-ops to a green check.

How to review

Confirm the merge step still gates on a concrete update-type, and that no step runs after it (it's the last step, so a skip ends the job green).

Soft-fail the fetch-metadata step so unverified dependabot PRs no longer
show a red check in the PR overview.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@timdittler timdittler marked this pull request as ready for review July 3, 2026 07:45
@timdittler timdittler requested a review from a team as a code owner July 3, 2026 07:45
@timdittler timdittler requested review from 0x46616c6b and axdotl July 3, 2026 07:45
@timdittler timdittler merged commit c5c9aec into main Jul 3, 2026
8 checks passed
@timdittler timdittler deleted the fix-dependabot-automerge-silent-fail branch July 3, 2026 08:38
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 3, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants